summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--kerberosIV/src/appl/afsutil/pagsh.c3
-rw-r--r--kerberosIV/src/appl/bsd/login.c37
-rw-r--r--kerberosIV/src/appl/bsd/su.c37
-rw-r--r--kerberosIV/src/appl/bsd/sysv_environ.c36
-rw-r--r--kerberosIV/src/appl/kauth/kauth.c8
-rw-r--r--kerberosIV/src/appl/telnet/libtelnet/kerberos.c3
-rw-r--r--kerberosIV/src/appl/telnet/telnetd/state.c9
-rw-r--r--kerberosIV/src/appl/telnet/telnetd/telnetd.c3
-rw-r--r--kerberosIV/src/lib/auth/afskauthlib/verify.c6
9 files changed, 96 insertions, 46 deletions
diff --git a/kerberosIV/src/appl/afsutil/pagsh.c b/kerberosIV/src/appl/afsutil/pagsh.c
index 0ac6d8a541d..82cc30abc5b 100644
--- a/kerberosIV/src/appl/afsutil/pagsh.c
+++ b/kerberosIV/src/appl/afsutil/pagsh.c
@@ -76,7 +76,8 @@ main(int argc, char **argv)
} while(f < 0);
close(f);
unlink(tf);
- setenv("KRBTKFILE", tf, 1);
+ if(setenv("KRBTKFILE", tf, 1) != 0)
+ errx(1, "cannot set KRBTKFILE");
i = 0;
diff --git a/kerberosIV/src/appl/bsd/login.c b/kerberosIV/src/appl/bsd/login.c
index 55b660e1eae..769bfb46e06 100644
--- a/kerberosIV/src/appl/bsd/login.c
+++ b/kerberosIV/src/appl/bsd/login.c
@@ -45,7 +45,7 @@
#include <sys/capability.h>
#endif
-RCSID("$KTH: login.c,v 1.125 1999/11/30 19:24:01 bg Exp $");
+RCSID("$KTH: login.c,v 1.125.2.2 2000/06/23 02:33:07 assar Exp $");
#ifdef OTP
#include <otp.h>
@@ -596,22 +596,28 @@ main(int argc, char **argv)
if (pwd->pw_change || pwd->pw_expire)
gettimeofday(&tp, (struct timezone *)NULL);
- if (pwd->pw_change)
+ if (pwd->pw_change) {
+ time_t t;
+
if (tp.tv_sec >= pwd->pw_change) {
printf("Sorry -- your password has expired.\n");
changepass=1;
} else if (pwd->pw_change - tp.tv_sec <
- 2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
+ 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) {
+ t = pwd->pw_change;
printf("Warning: your password expires on %s",
- ctime(&pwd->pw_change));
+ ctime(&t));
+ }
if (pwd->pw_expire)
if (tp.tv_sec >= pwd->pw_expire) {
printf("Sorry -- your account has expired.\n");
sleepexit(1);
} else if (pwd->pw_expire - tp.tv_sec <
- 2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
+ 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) {
+ t = pwd->pw_expire;
printf("Warning: your account expires on %s",
- ctime(&pwd->pw_expire));
+ ctime(&t));
+ }
#endif /* defined(HAVE_PASSWD_CHANGE) && defined(HAVE_PASSWD_EXPIRE) */
/* Nothing else left to fail -- really log in. */
@@ -659,7 +665,8 @@ main(int argc, char **argv)
sysv_newenv(argc, argv, pwd, term, pflag);
#ifdef KERBEROS
if (krbtkfile_env)
- setenv("KRBTKFILE", krbtkfile_env, 1);
+ if(setenv("KRBTKFILE", krbtkfile_env, 1) != 0)
+ errx(1, "cannot set KRBTKFILE");
#endif
if (tty[sizeof("tty")-1] == 'd')
@@ -788,6 +795,11 @@ main(int argc, char **argv)
if(!rootlogin)
exit(1);
}
+ if (uid != 0 && setuid(0) != -1) {
+ syslog(LOG_ALERT | LOG_AUTH,
+ "Failed to drop privileges for user %d", uid);
+ errx(1, "Sorry");
+ }
}
@@ -953,6 +965,7 @@ dolastlog(int quiet)
#if defined(HAVE_LASTLOG_H) || defined(HAVE_LOGIN_H)
struct lastlog ll;
int fd;
+ time_t t;
if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), SEEK_SET);
@@ -966,8 +979,8 @@ dolastlog(int quiet)
sleepexit(1);
}
if (!quiet) {
- printf("Last login: %.*s ",
- 24-5, ctime(&ll.ll_time));
+ t = ll.ll_time;
+ printf("Last login: %.*s ", 24-5, ctime(&t));
if (*ll.ll_host != '\0') {
printf("from %.*s\n",
(int)sizeof(ll.ll_host),
@@ -983,8 +996,8 @@ dolastlog(int quiet)
if (!quiet) {
if (read(fd, &ll, sizeof(ll)) == sizeof(ll) &&
ll.ll_time != 0) {
- printf("Last login: %.*s ",
- 24-5, ctime(&ll.ll_time));
+ t = ll.ll_time;
+ printf("Last login: %.*s ", 24-5, ctime(&t));
if (*ll.ll_host != '\0')
printf("from %.*s\n",
(int)sizeof(ll.ll_host),
@@ -998,7 +1011,7 @@ dolastlog(int quiet)
}
#endif /* SYSV_SHADOW */
memset(&ll, 0, sizeof(ll));
- time(&ll.ll_time);
+ ll.ll_time = time(NULL);
strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
if (hostname)
strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
diff --git a/kerberosIV/src/appl/bsd/su.c b/kerberosIV/src/appl/bsd/su.c
index 6dcc0fbe5ba..e93a2b43ba3 100644
--- a/kerberosIV/src/appl/bsd/su.c
+++ b/kerberosIV/src/appl/bsd/su.c
@@ -33,7 +33,7 @@
#include "bsd_locl.h"
-RCSID ("$KTH: su.c,v 1.70 1999/11/13 06:14:11 assar Exp $");
+RCSID ("$KTH: su.c,v 1.70.2.1 2000/06/23 02:42:28 assar Exp $");
#ifdef SYSV_SHADOW
#include "sysv_shadow.h"
@@ -225,12 +225,22 @@ main (int argc, char **argv)
if (setgid (pwd->pw_gid) < 0)
err (1, "setgid");
- if (initgroups (user, pwd->pw_gid))
- errx (1, "initgroups failed.");
+ if (initgroups (user, pwd->pw_gid)) {
+ if (errno == E2BIG) /* Member of to many groups! */
+ warn("initgroups failed.");
+ else
+ errx(1, "initgroups failed.");
+ }
if (setuid (pwd->pw_uid) < 0)
err (1, "setuid");
+ if (pwd->pw_uid != 0 && setuid(0) != -1) {
+ syslog(LOG_ALERT | LOG_AUTH,
+ "Failed to drop privileges for user %s", pwd->pw_name);
+ errx(1, "Sorry");
+ }
+
if (!asme) {
if (asthem) {
char *k = getenv ("KRBTKFILE");
@@ -240,18 +250,24 @@ main (int argc, char **argv)
if (environ == NULL)
err (1, "malloc");
environ[0] = NULL;
- setenv ("PATH", _PATH_DEFPATH, 1);
+ if(setenv ("PATH", _PATH_DEFPATH, 1) != 0)
+ errx(1, "cannot set PATH");
if (t)
- setenv ("TERM", t, 1);
+ if(setenv ("TERM", t, 1) != 0)
+ errx(1, "cannot set TERM");
if (k)
- setenv ("KRBTKFILE", k, 1);
+ if(setenv ("KRBTKFILE", k, 1) != 0)
+ errx(1, "cannot set KRBTKFILE");
if (chdir (pwd->pw_dir) < 0)
errx (1, "no directory");
}
if (asthem || pwd->pw_uid)
- setenv ("USER", pwd->pw_name, 1);
- setenv ("HOME", pwd->pw_dir, 1);
- setenv ("SHELL", shell, 1);
+ if(setenv ("USER", pwd->pw_name, 1) != 0)
+ errx(1, "cannot set USER");
+ if(setenv ("HOME", pwd->pw_dir, 1) != 0)
+ errx(1, "cannot set HOME");
+ if(setenv ("SHELL", shell, 1) != 0)
+ errx(1, "cannot set SHELL");
}
if (iscsh == YES) {
if (fastlogin)
@@ -343,7 +359,8 @@ kerberos (char *username, char *user, int uid)
"%s_%s_to_%s_%u", TKT_ROOT, username, user,
(unsigned) getpid ());
- setenv ("KRBTKFILE", krbtkfile, 1);
+ if(setenv ("KRBTKFILE", krbtkfile, 1) != 0)
+ errx(1, "cannot set KRBTKFILE");
krb_set_tkt_string (krbtkfile);
/*
* Set real as well as effective ID to 0 for the moment,
diff --git a/kerberosIV/src/appl/bsd/sysv_environ.c b/kerberosIV/src/appl/bsd/sysv_environ.c
index d1faa0120ad..8e7edce1556 100644
--- a/kerberosIV/src/appl/bsd/sysv_environ.c
+++ b/kerberosIV/src/appl/bsd/sysv_environ.c
@@ -36,7 +36,8 @@ read_etc_environment (void)
if (val == NULL)
continue;
*val = '\0';
- setenv(buf, val + 1, 1);
+ if(setenv(buf, val + 1, 1) != 0)
+ errx(1, "cannot set %s", buf);
}
fclose (f);
}
@@ -110,12 +111,14 @@ void sysv_newenv(int argc, char **argv, struct passwd *pwd,
for (pp = preserved; pp->name; pp++)
if (pp->value)
- setenv(pp->name, pp->value, 1);
+ if(setenv(pp->name, pp->value, 1) != 0)
+ errx(1, "cannot set %s", pp->name);
/* The TERM definition from e.g. rlogind can override an existing one. */
if (term[0])
- setenv("TERM", term, 1);
+ if(setenv("TERM", term, 1) != 0)
+ errx(1, "cannot set TERM");
/*
* Environment definitions from the command line overrule existing ones,
@@ -130,7 +133,8 @@ void sysv_newenv(int argc, char **argv, struct passwd *pwd,
while (argc && *argv) {
if (strchr(*argv, '=') == 0) {
snprintf(buf, sizeof(buf), "L%d", count++);
- setenv(buf, *argv, 1);
+ if(setenv(buf, *argv, 1) != 0)
+ errx(1, "cannot set %s", buf);
} else {
for (cp = censored; cp->prefix; cp++)
if (STREQN(*argv, cp->prefix, cp->length))
@@ -143,20 +147,25 @@ void sysv_newenv(int argc, char **argv, struct passwd *pwd,
/* PATH is always reset. */
- setenv("PATH", pwd->pw_uid ? default_path : default_supath, 1);
+ if(setenv("PATH", pwd->pw_uid ? default_path : default_supath, 1) != 0)
+ errx(1, "cannot set PATH");
/* Undocumented: HOME, MAIL and LOGNAME are always reset (SunOS 5.1). */
- setenv("HOME", pwd->pw_dir, 1);
+ if(setenv("HOME", pwd->pw_dir, 1) != 0)
+ errx(1, "cannot set HOME");
{
char *sep = "/";
if(KRB4_MAILDIR[strlen(KRB4_MAILDIR) - 1] == '/')
sep = "";
roken_concat(buf, sizeof(buf), KRB4_MAILDIR, sep, pwd->pw_name, NULL);
}
- setenv("MAIL", buf, 1);
- setenv("LOGNAME", pwd->pw_name, 1);
- setenv("USER", pwd->pw_name, 1);
+ if(setenv("MAIL", buf, 1) != 0)
+ errx(1, "cannot set MAIL");
+ if(setenv("LOGNAME", pwd->pw_name, 1) != 0)
+ errx(1, "cannot set LOGNAME");
+ if(setenv("USER", pwd->pw_name, 1) != 0)
+ errx(1, "cannot set USER");
/*
* Variables that may be set according to specifications in the defaults
@@ -167,11 +176,14 @@ void sysv_newenv(int argc, char **argv, struct passwd *pwd,
*/
if (strcasecmp(default_altsh, "YES") == 0)
- setenv("SHELL", pwd->pw_shell, 1);
+ if(setenv("SHELL", pwd->pw_shell, 1) != 0)
+ errx(1, "cannot set SHELL");
if (default_hz)
- setenv("HZ", default_hz, 0);
+ if(setenv("HZ", default_hz, 0) != 0)
+ errx(1, "cannot set HZ");
if (default_timezone)
- setenv("TZ", default_timezone, 0);
+ if(setenv("TZ", default_timezone, 0) != 0)
+ errx(1, "cannot set TZ");
/* Non-environment stuff. */
diff --git a/kerberosIV/src/appl/kauth/kauth.c b/kerberosIV/src/appl/kauth/kauth.c
index 91d32e0f39d..b0d64dd0d55 100644
--- a/kerberosIV/src/appl/kauth/kauth.c
+++ b/kerberosIV/src/appl/kauth/kauth.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -41,7 +41,7 @@
#include "kauth.h"
-RCSID("$KTH: kauth.c,v 1.97 1999/12/02 16:58:31 joda Exp $");
+RCSID("$KTH: kauth.c,v 1.97.2.1 2000/02/28 03:42:51 assar Exp $");
krb_principal princ;
static char srvtab[MaxPathLen];
@@ -233,7 +233,6 @@ main(int argc, char **argv)
case 'd':
krb_enable_debug();
_kafs_debug = 1;
- aflag++;
break;
case 'f':
strlcpy(srvtab, optarg, sizeof(srvtab));
@@ -316,7 +315,8 @@ main(int argc, char **argv)
}while(f < 0);
close(f);
unlink(tf);
- setenv("KRBTKFILE", tf, 1);
+ if(setenv("KRBTKFILE", tf, 1) != 0)
+ errx(1, "cannot set KRBTKFILE");
krb_set_tkt_string (tf);
}
diff --git a/kerberosIV/src/appl/telnet/libtelnet/kerberos.c b/kerberosIV/src/appl/telnet/libtelnet/kerberos.c
index b4beb669054..00ca951ecd3 100644
--- a/kerberosIV/src/appl/telnet/libtelnet/kerberos.c
+++ b/kerberosIV/src/appl/telnet/libtelnet/kerberos.c
@@ -331,7 +331,8 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
"%s%u",
TKT_ROOT,
(unsigned)pw->pw_uid);
- setenv("KRBTKFILE", ts, 1);
+ if(setenv("KRBTKFILE", ts, 1) != 0)
+ errx(1, "cannot set KRBTKFILE");
if (pw->pw_uid == 0)
syslog(LOG_INFO|LOG_AUTH,
diff --git a/kerberosIV/src/appl/telnet/telnetd/state.c b/kerberosIV/src/appl/telnet/telnetd/state.c
index 64562e136b7..3bd0ff130c2 100644
--- a/kerberosIV/src/appl/telnet/telnetd/state.c
+++ b/kerberosIV/src/appl/telnet/telnetd/state.c
@@ -1016,7 +1016,8 @@ suboption(void)
return;
settimer(xdisplocsubopt);
subpointer[SB_LEN()] = '\0';
- setenv("DISPLAY", (char *)subpointer, 1);
+ if(setenv("DISPLAY", (char *)subpointer, 1) != 0)
+ errx(1, "cannot set DISPLAY");
break;
} /* end of case TELOPT_XDISPLOC */
@@ -1183,7 +1184,8 @@ suboption(void)
case ENV_USERVAR:
*cp = '\0';
if (valp)
- setenv(varp, valp, 1);
+ if(setenv(varp, valp, 1) != 0)
+ errx(1, "cannot set %s", varp);
else
unsetenv(varp);
cp = varp = (char *)subpointer;
@@ -1202,7 +1204,8 @@ suboption(void)
}
*cp = '\0';
if (valp)
- setenv(varp, valp, 1);
+ if(setenv(varp, valp, 1) != 0)
+ errx(1, "cannot set %s", varp);
else
unsetenv(varp);
break;
diff --git a/kerberosIV/src/appl/telnet/telnetd/telnetd.c b/kerberosIV/src/appl/telnet/telnetd/telnetd.c
index 50bd0ec0328..3e627bc2d4c 100644
--- a/kerberosIV/src/appl/telnet/telnetd/telnetd.c
+++ b/kerberosIV/src/appl/telnet/telnetd/telnetd.c
@@ -776,7 +776,8 @@ Please contact your net administrator");
*/
*user_name = 0;
level = getterminaltype(user_name, sizeof(user_name));
- setenv("TERM", terminaltype ? terminaltype : "network", 1);
+ if(setenv("TERM", terminaltype ? terminaltype : "network", 1) != 0)
+ errx(1, "cannot set TERM");
#ifdef _SC_CRAY_SECURE_SYS
if (secflag) {
diff --git a/kerberosIV/src/lib/auth/afskauthlib/verify.c b/kerberosIV/src/lib/auth/afskauthlib/verify.c
index 6f534917e98..272e3016d08 100644
--- a/kerberosIV/src/lib/auth/afskauthlib/verify.c
+++ b/kerberosIV/src/lib/auth/afskauthlib/verify.c
@@ -277,10 +277,12 @@ afs_gettktstring (void)
}
}
#ifdef KRB5
- setenv("KRB5CCNAME",krb5ccname,1);
+ if(setenv("KRB5CCNAME",krb5ccname,1) != 0)
+ errx(1, "cannot set KRB5CCNAME");
#endif
#ifdef KRB4
- setenv("KRBTKFILE",krbtkfile,1);
+ if(setenv("KRBTKFILE",krbtkfile,1) != 0)
+ errx(1, "cannot set KRBTKFILE");
return krbtkfile;
#else
return "";